Professional Windows Server 2003 Security: A Technical Reference

Roberta Bragg


Monitor Active Directory and Group Policy


A healthy Active Directory and properly functioning Group Policy operations are critical to security for domain computers and users. A large number of security operations in every domain rely on them. Among the security functions of Active Directory, Group Policy, and their related services are the following:

Authentication. The AD database stores user, group, and computer accounts and passwords.

The netlogon service is part of the authentication process. If netlogon fails, authentication fails.

Special operational roles, such as the PDC emulator, are critical. If the PDC emulator is not available in the domain, account lockout is possible, and time synchronization may not occur. If the RID master is unavailable and the domain controller uses its supply of relative IDs, new accounts cannot be created.

Security configuration. Security settings are configured in Group Policy objects. Some of the GPO data is stored in the AD and replicated via AD replication. (Additional data is stored in the SYSVOL folder and replicated using the File Replication Service [FRS].) If AD and the SYSVOL shared folder do not replicate properly, security policy can fail.

If AD replication fails, new logon credentials are not available, and changes to account status such as deleted or disabled accounts will not be consistent across domains. If new accounts and credentials are not available, it may mean denial of service for legitimate users. If information on disabled and deleted accounts is not available, it can mean system compromise.

Storage and protection of critical Windows network information. The Active Directory stores information on every computer and every user in the forest as well as site and subnet information.

To ensure smoothly functioning Active Directory and Group Policy operations, do the following:

Monitor related services such as netlogon, DNS, Event Log, File Replication, KDC, Resultant Set of Policy Provider, and Server.

Create a baseline by collecting data for a time period that covers peak and low usage, such as during peak logon times in the A.M. and through password change policy and month-end activity. Use the baseline as a judge of unusual activity. Create new baselines periodically.

Monitor disk space on drives that contain the Active Directory database and log files. Low disk space can prevent replication from occurring and cause other problems. The performance monitor tool can be configured to watch and alert when disk space is low.

Consider the use of specialized monitoring products such as Microsoft Operations Manager (MOM). These solutions can make monitoring a large enterprise a manageable task.

Thoroughly learn the built-in and freely downloadable Microsoft tools for monitoring. In many cases, these tools may do an adequate job, or may be able to gather enough information to show the value of the monitoring process so that a larger, more comprehensive tool or suite of tools can be justified. In addition, many of these tools are quick, operate at the command line, and can be used by anyone with the appropriate administrative operating system privileges. Third-party tools should be and often are restricted to smaller groups of administrators, yet some information is valuable to a larger group.

Develop a response plan. It's not enough to know that there is a malfunction; you must know how to deal with it. It may be a simple networking or configuration error, or it might be the result of an attack. Without a planned approach, your response can be crippled by indecision, inactivity, or delegation of the problem to the wrong person for solution.

Use the following utilities to monitor Active Directory's operation. In addition to general tests, be sure to monitor AD replication and the File Replication Service (FRS).

Use dcdiag for an Overall Health Report


dcdiag.exe is a Windows Support tool that is composed of many tests of domain controller operations. Information on using dcdiag for troubleshooting Group Policy is included in Chapter 9, "Troubleshooting Group Policy." This section provides an overall review of dcdiag for overall Active Directory health monitoring. You can use this tool to test specific DC functionality or as a baseline report on overall health. A good practice is to periodically use the tool to prepare a report from as many of its tests as possible. The command dcdiag.exe /a /v /c /f:dcreport.txt will run most dcdiag tests (all except dcpromo and RegisterInDNS) and place detailed results in the dcreport.txt file. Figure 19-9 displays a portion of the file produced by the command.

Figure 19-9. Use dcdiag for a comprehensive report on Active Directory function.

Chapter 3 of my e-book "Five Key Lessons to Securing Active Directory" in the technical library at www.redmondmag.com.

Table 19-4. Dcdiag Tests

| Test | Description | Use Results |
|---|---|---|
| Connectivity | Tests connectivity to directory services. Determines site information and which servers and DCs exist. Tests Lightweight Directory Access Protocol (LDAP) services and Remote Procedure Call (RPC) services, and checks each DC's registration in DNS. | A connectivity test pass confirms both network connectivity and DC registration in DNS. Failure points to a specific area to check. |
| Replication | Tests replication for errors. | A pass on all of the replication-related tests (Replication, Topology, CutoffServers, NCSecDesc, Netlogons) means that AD replication is OK. Failures point to specific items to troubleshoot. |
| Topology | Tests topology configuration and integrity. | |
| CutoffServers | Determines if replication partners can be reached. | |
| NCSecDesc | Checks replication permissions. | |
| Netlogons | Checks logon privileges for replication. | |
| Advertising | Can domain services be located? Domain services are DC, LDAP server, writeable directory, KDC, timeserver, and GC (if applicable). | A pass here means that DC activity is normal. This test fails if the netlogon service has stopped working. |
| KnowsOfRoleHolders | Determines if each DC can locate the domain and forest FSMOs. | A pass means that all FSMOs are working. Failures point to items to troubleshoot. |
| RidManager | Binds with the RID master and reports RID pool numbers and the RID master DC. | |
| MachineAccount | Tests to see if the machine account for each DC is registered and its services advertised. | A pass means that all normal DC services are available. Two dcdiag switches can be used to attempt repairs if this test fails. Use /RecreateMachineAccount to attempt a repair, or /FixMachineAccount if machine account flags are reported to be incorrect. Then rerun the MachineAccount test. |
| Services | Tests operation of domain services such as dnscache, NtFrs, IsmServ, kdc, SamSs, LanmanServer, LanmanWorkstation, RpcSs, w32time, and netlogon. | |
| OutboundSecureChannels | This test will not run when dcdiag /c is entered. Run this test separately and include the domain name. When properly run, it tests outbound secure channels. | A pass documents the proper formation of outbound secure channels. |
| ObjectsReplicated | Determines if domain account and DSA objects are replicated. | A pass confirms that domain information is replicating to DCs in the domain. |
| Frssysvol | Checks the status of SYSVOL. | A pass means basic FRS services are functioning. |
| Frsevent | Browses the FRS event log for errors and reports them. | |
| Kccevent | Checks operation of the knowledge consistency checker (KCC). | A pass means there have been no KCC errors in the last 15 minutes. |
| Systemlog | Checks the system log for errors. | A pass indicates no errors in the last 60 minutes. |
| CheckSDRefDom | This test will not run when dcdiag /c is entered. Run it separately to determine if application directory partitions have security descriptor reference domains. The security reference domain is the domain used to determine the default security descriptors for domain objects. | A pass means domain objects will have security descriptors defined based on the same reference. |
| VerifyReplicas | Tests to see that application directory partitions are complete on all replica servers. | A pass means FRS is OK. |
| CrossRefValidation | Checks validity of cross-references. Cross-references allow a DC to be aware of all directory partitions in the forest. | |
| VerifyReferences | Checks system references for FRS and its replication infrastructure within a domain. | |
| VerifyEnterpriseReferences | Checks system references for FRS and its replication infrastructure across all objects on each domain controller. | |
| Intersite | Checks site connections. | All sites have connections to another site. |
| FsmoCheck | Determines the location of the GC, timeserver, KDC, and PDC. | Reports locations. |

Running dcdiag and getting back a pass on all tests provides a good indicator that all is well with Active Directory. It's also a reasonable indication that DNS is functioning and includes appropriate service resource records, because DNS is used to locate domain services. Because both DNS and Active Directory can be presumed OK, the likelihood of Group Policy being operational is also good. However, note that the status of services can change over time and that Group Policy operations are not tested directly. dcdiag just allows you to conclude that the proper infrastructure for Group Policy is operational.
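A periodic dcdiag report is only useful if someone reads it; the following added example (not from the book) reduces a report file to a pass/fail table per DC and compares it with a baseline run, which is the "judge unusual activity against a baseline" practice recommended earlier. The sample report text is constructed for this example and only imitates the summary lines dcdiag prints.

```python
import re
from collections import defaultdict

# Constructed sample of the summary lines dcdiag writes into its report file;
# the real tool prints one such line per DC per test, prefixed by a run of dots.
SAMPLE_REPORT = """\
Testing server: Default-First-Site-Name\\DC1
   Starting test: Connectivity
      ......................... DC1 passed test Connectivity
   Starting test: Replications
      [Replications Check,DC1] A recent replication attempt failed:
      ......................... DC1 failed test Replications
   Starting test: Advertising
      ......................... DC1 passed test Advertising
   Starting test: KnowsOfRoleHolders
      ......................... DC1 passed test KnowsOfRoleHolders
Testing server: Default-First-Site-Name\\DC2
      ......................... DC2 passed test Connectivity
      ......................... DC2 passed test Replications
      ......................... DC2 failed test SystemLog
"""

# Matches '......................... <DC> passed|failed test <TestName>'.
SUMMARY_RE = re.compile(
    r"^\s*\.{3,}\s+(?P<dc>\S+)\s+(?P<result>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)


def parse_dcdiag(report: str) -> dict:
    """Return {dc_name: {test_name: passed?}} from a dcdiag report."""
    results = defaultdict(dict)
    for line in report.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            results[m["dc"]][m["test"]] = m["result"] == "passed"
    return dict(results)


def failed_tests(results: dict) -> list:
    """Sorted (dc, test) pairs that failed in this run."""
    return sorted(
        (dc, test)
        for dc, tests in results.items()
        for test, ok in tests.items()
        if not ok
    )


def regressions(results: dict, baseline: dict) -> list:
    """Tests that passed in the baseline run but fail now.

    A failure that was already present in the baseline is a known condition;
    a new failure is what should page somebody.
    """
    out = []
    for dc, tests in results.items():
        for test, ok in tests.items():
            if not ok and baseline.get(dc, {}).get(test) is True:
                out.append((dc, test))
    return sorted(out)


if __name__ == "__main__":
    current = parse_dcdiag(SAMPLE_REPORT)
    for dc, test in failed_tests(current):
        print(f"{dc}: {test} FAILED")
```

To run it against a real report, read the file produced by dcdiag /f: and pass its contents to parse_dcdiag; keep the parsed baseline from a known-good run for regressions().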

Monitor Active Directory Replication


By ensuring proper DNS operations, you eliminate a major contributor to AD replication problems. Before replication can occur, the DC must locate its replication partner(s) using the following method:


1. Find the GUID of the replication partner by looking in CN=NTDS Settings,CN=name-of-server,CN=Servers,CN=Site_name,CN=Sites,CN=Configuration,DC=domain_name,DC=Domain_name_extension. DNSLint finds these GUIDs and then does a DNS lookup for the CNAME and glue record. You can manually look up the GUID using ldp.exe, as shown in Figure 19-10.

Figure 19-10. The GUID of the replication partner is the only AD information available.

2. Query DNS for the CNAME associated with the GUID. The CNAME is of the form guid.msdcs.forest.root and identifies the DC name, as shown in Figure 19-11.

Figure 19-11. A DNS query can obtain the CNAME from the GUID.

3. Make a second DNS query for the host record of the DC to obtain its associated IP address, as shown in Figure 19-12.

Figure 19-12. A DNS query can obtain the host record if the DC name is known.
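The three-step lookup above, as an added example (not the book's or DNSLint's code) that reports which step broke when a partner cannot be found. The DNS tables, GUIDs, and the 10.0.0.11 address are constructed; the functions take resolver callbacks, so a real resolver can be substituted for the dictionaries. The CNAME is built under the _msdcs zone, which is where the GUID records live.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# A resolver returns the record value or None when the record is absent.
Resolver = Callable[[str], Optional[str]]


def ntds_settings_dn(server: str, site: str, forest_root: str) -> str:
    """DN of a DC's NTDS Settings object, whose objectGUID names its DNS CNAME."""
    dc_part = ",".join(f"DC={label}" for label in forest_root.split("."))
    return (f"CN=NTDS Settings,CN={server},CN=Servers,CN={site},"
            f"CN=Sites,CN=Configuration,{dc_part}")


@dataclass
class PartnerLookup:
    guid: str
    cname: str
    host: Optional[str] = None
    ip: Optional[str] = None
    failed_step: Optional[str] = None  # None when both lookups succeeded


def locate_partner(guid: str, forest_root: str,
                   resolve_cname: Resolver, resolve_a: Resolver) -> PartnerLookup:
    """Step 2 (GUID -> CNAME -> DC name) and step 3 (DC name -> A record)."""
    name = f"{guid}._msdcs.{forest_root}"
    result = PartnerLookup(guid=guid, cname=name)
    host = resolve_cname(name)
    if host is None:
        result.failed_step = "CNAME"   # GUID record missing: partner cannot be found
        return result
    result.host = host
    ip = resolve_a(host)
    if ip is None:
        result.failed_step = "A"       # name known, but no host record to reach it
        return result
    result.ip = ip
    return result


# Constructed stand-ins for the _msdcs CNAME records and the host (A) records.
GUID_REGALINN = "aaaaaaaa-0000-0000-0000-000000000001"
GUID_MOTORIN = "aaaaaaaa-0000-0000-0000-000000000002"
FAKE_CNAME = {
    f"{GUID_REGALINN}._msdcs.chicago.local": "regalinn.chicago.local",
    f"{GUID_MOTORIN}._msdcs.chicago.local": "motorin.chicago.local",
}
FAKE_A = {"regalinn.chicago.local": "10.0.0.11"}  # motorin deliberately has no A record


def check_partners(guids, forest_root="chicago.local",
                   resolve_cname: Resolver = FAKE_CNAME.get,
                   resolve_a: Resolver = FAKE_A.get):
    """Run the lookup for every partner GUID read from NTDS Settings objects."""
    return [locate_partner(g, forest_root, resolve_cname, resolve_a) for g in guids]


if __name__ == "__main__":
    for r in check_partners([GUID_REGALINN, GUID_MOTORIN]):
        status = "OK" if r.failed_step is None else f"missing {r.failed_step} record"
        print(f"{r.guid}: {r.host} {r.ip} {status}")
```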

Use DNSLint

You can use DNSLint to automatically make these inquiries for all DCs. Figure 19-13 shows the result. A successful test documents that the GUID record is in DNS and means that replication partners can find each other; this must occur before replication can occur.

Figure 19-13. DNSLint finds the GUIDs in Active Directory and then does a DNS lookup.


Use replmon.exe

Use replmon.exe to display information about replication and replication partners. To use replmon.exe, follow these steps:


1. Open Windows Explorer and navigate to the Program Files, Support Tools folder.

2. Double-click replmon.exe.

3. Right-click the Monitored Servers node and select Add monitored server. Click Next.

4. Enter the name of the DC to monitor, click Next, and then click Finish.

5. Expand and select one of the nodes to see replication data in the detail pane, as shown in Figure 19-14.

Figure 19-14. Information on replication can be observed by using replmon.

In the figure, a red circle with a white cross identifies an error. The screen has been scrolled to the error message in the detail pane. The error indicates that a replication attempt has failed and gives the reason for the failure as a DNS lookup. Because the server had recently been restarted, the replmon tool was used to request synchronization with the server's replication partner (right-click the node and select Synchronize with this Replication Partner), and then the View menu was used to refresh the data. This time, replication was successful, indicating that the failure was probably a result of the server being temporarily offline.

Use Replication Diagnostics Tool

Use the Replication Diagnostics Tool (repadmin.exe) to check replication links and latency. It also provides a summary of replication between partners. You can find out which replicated data has been received by which DCs and when they received it. Use the tool to generate a list of replicated objects and compare the lists to find out if all DCs are receiving the information. If items are not being replicated to some DCs, use tools such as dcdiag and DNSLint to determine if network connectivity, DNS records, or the DC's operation may be the problem. Repadmin can also be used to force replication or to force the KCC to run and select replication partners. Replication statistics are displayed using repadmin /replsummary name_of_dc, as shown in Figure 19-15.

Figure 19-15. Information on replication can be observed by using replmon.


Use the Directory Services Utility

The Support Tool Directory Services Utility (dsastat.exe) is used to determine if domain controllers are up-to-date with each other. dsastat also checks the GC's information to ensure that it's up-to-date with DCs in other domains. When DCs are up-to-date, they present a consistent and accurate picture of their own domain. dsastat.exe can be used to test GCs to see if their information is consistent with DCs in each domain.

For example, to test consistency in the forest chicago.local, use the names of all child domains. The command dsastat -s:regalinn;motorin -b:DC=chicago,DC=local -sort:true compares the objects in the chicago.local domain across the two DCs: regalinn and motorin. By default, all objects are checked. You can specify objects, such as user groups, by using the filter parameter. Table 19-5 lists and describes the parameters used in the command as well as the additional parameters that can be used.

Table 19-5. Dsastat.exe Command Parameters

| Parameter | Description |
|---|---|
| -s:servername[portnumber][;servername[portnumber]...] | A list of DCs in the domain by server name. |
| -b:Searchpath | The directory name for the part of the directory to search, such as an entire domain or just an OU. |
| -gcattrs:all | In this case, lists all objects. You can specify the objects to list. |
| -sort:{TRUE\|FALSE} | Sort results by object GUID. This can make the comparison slower in a statistical comparison but faster in a full content comparison. It ensures object results are returned in nearly the same order from different servers. |
| -t:{TRUE\|FALSE} | Perform a statistics comparison or a full content comparison. A statistics comparison (set to TRUE, the default) simply counts objects and ignores the -gcattrs parameter. A full content comparison checks the attributes of objects, including permissions. |
| -p:{1-999} | Page size (default is 64). Indicates the number of items to be returned per page for the ldap_search operation. Use a smaller page size if directory objects are large. |
| -loglevel:{INFO\|TRACE\|BOTH} | The extent of logging that can be requested. The default is INFO. |
| -output:{SCREEN\|FILE\|BOTH} | Location to report data. The default is SCREEN. |
| -scope:{BASE\|ONELEVEL\|SUBTREE} | Extent of the scope for the search. The default is SUBTREE. |
| -filter:LdapFilter | The objects to be returned. The default is "(objectclass=*)", indicating that all objects are returned. |
| -gcattrs:{[LDAPAttributes [Attribute;Attribute...]]\|[Objectclass]\|auto\|All} | Specifies attributes to be returned from the search. The use of "Objectclass" indicates no attributes should be returned. The use of "auto" specifies that only those in the global catalog should be returned. |
| -u:UserName | Name of a user to use for the query. |
| -pwd:password | The user's password. |
| -d:domain | Domain to use for authenticating the user name. |

The report lists each object checked and sums the information at the end. Figure 19-16 is a capture of the end of the report.

Figure 19-16. Information on replication can be observed by using replmon.

Use checkrepl

Use the Resource Kit tool checkrepl.vbs to view the replication topology of a specific DC. checkrepl.vbs regalinn lists the inbound and outbound replication neighbors and the date of the last successful replication. The property update number (the latest revision number) for each partition is listed, as is the protocol used for replication and the GUIDs of outbound partners. Running the command on other DCs in the domain provides information for comparison. Figure 19-17 displays the results of entering the following command:


Cscript checkrepl.vbs motorin

Figure 19-17. checkrepl reports replication topology for a DC.


Monitor FRS Replication


File Replication Service replicates the contents of the SYSVOL directory. Files in this directory are especially important to Group Policy, and this is also the location of logon and logoff scripts. FRS also can be used to replicate files unrelated to Active Directory. Two tools, FRS Health Check and FRS Diag, can be used to collect massive amounts of data relevant to FRS replication and Active Directory health. FRS Health Check runs a script, while FRS Diag presents a GUI interface. Other FRS monitors are gpotool, sonar, and ultrasound. Both sonar and ultrasound are monitoring tools that can be turned on and left to gather statistics during normal operation.

Use FRS Health Check

Use FRS Health Check (FRSHealth_CHk), a command-line support tool that monitors FRS, to retrieve FRS information from a specific DC or server. FRSHealth_CHk uses multiple support and resource kit tools as listed in Table 19-6 and collects FRS-related events from the Application, System, DNS, Active Directory and FRS event logs. Running FRSHealth_CHk against a selection of servers on a daily basis is a good monitoring option as it provides detailed information from a number of important tools. To select which servers to monitor, consider how FRS is used. To only monitor SYSVOL replication, select appropriate DCs, such as DCs used when changing Group Policy.

Table 19-6. Tools Used by FRSHealth_CHk

| Tool | Purpose |
|---|---|
| connstat.cmd | Summarizes the status of FRS connections to and from a specific server using the results of ntfrsutil.exe. |
| dcdiag.exe | Checks DC status. |
| eventquery.vbs | Lists and filters events from event logs. |
| iologsum.cmd | When the inlog, outlog, or idtable parameters are used with ntfrsutil.exe, information on pending inbound or outbound FRS change orders is collected in the inlog and outlog reports, respectively. iologsum uses this raw data and creates a summary. This data can point out problems with FRS replication, such as changes not being replicated to all servers. |
| netdiag.exe | Diagnoses network connectivity problems. |
| ntfrsutil.exe | Analyzes events recorded during dcpromo as well as transaction and event details of FRS. |
| reg.exe | Used to add, change, import, and export registry subkeys. |
| repadmin.exe | Used to monitor AD health, view replication topology, force replication events, and view replication data. |
| topchk.cmd | Produces reports on topology and server replication partners using the results of the ntfrsutil command. |

To issue the command, use the following:


Health_chk result_dir [target_computer]

As the tests are run, status information is reported. If no directory is specified in the command parameter result_dir, a default directory named for the server tested is created.

Use frsdiag

frsdiag.exe is a GUI-based tool that can provide much of the same information as FRSHealth_CHk. frsdiag produces a text file and a CAB file that can be sent to Microsoft for analysis. Tools and tests used by frsdiag are listed in Table 19-7.

Table 19-7. frsdiag.exe Tests and Tools

| Tool | Description |
|---|---|
| DS Event Log | Checks the directory services event log for errors during the last 12 days. |
| ForceReplication | Forces replication. |
| FRS Debug Logs | Reports file replication errors. |
| FRS Event Log test | Looks in the FRS event log and reports errors and warnings from the past seven days. Also looks for 13508 warnings that are unmatched by 13509 events. 13508 indicates FRS problems, and 13509 indicates a resolution. |
| GUIDName | Builds a server GUID-to-name reference for a server. |
| Ntfrs_config Table | Checks free disk space. Checks FRS structure, including the Sysvol folder, junction point, and the staging area folder. |
| Ntfrs_connstat | Warns when the number of backlog files is greater than 30. Reports an error when backlog files number greater than 100. Backlog files are files that need to be replicated. |
| Ntfrs_DS Services | Identifies broken or missing objects and object references. |
| Ntfrs_Replica Sets | Finds replication schedule issues. |
| Ntfrs_stage | Checks staging area size and warns when it is reaching limits. |
| Ntfrs_versions | Verifies FRS version requirements. |
| Propagation File Tracer | Checks current FRS replication consistency. Each server should have the same number of files and folders. |
| Registry dump | Dumps FRS Registry entries. |
| Repadmin /showreps | Looks for failed AD replication events. |
| Services and Shares | Tests the NTFRS, W32Time, netlogon, server, workstation, and RPC services. Looks for the Sysvol and netlogon shares. |
| Set Debug Logging Settings | Remotely changes or deletes NTFRS Debug Logging Registry values. |

To use frsdiag.exe, follow these steps:


1. Open Windows Explorer and navigate to the Program Files\resource kit\frsdiag folder.

2. Double-click the frsdiag.exe file to open the GUI, as shown in Figure 19-18.

Figure 19-18. The FRSdiag tool allows selection of tests and tools to run.

3. Select the local server or browse to another DC.

4. Review the information to be used and gathered in the interface, or use the Tools menu to select tests to run. To run the tests, click GO. Log files are created with the results of the tests. The pass/fail results of the tests are displayed in the detail screen, as shown in Figure 19-19.

Figure 19-19. Pass/fail results are displayed in the tool.

The results of tests can be logged to the FRSdiag folder for review.

Use GPOTool

Check the sysvol consistency with Active Directory replication using the Resource Kit tool GPOtool.exe. Group Policies are replicated in part by Active Directory and in part by FRS, so it is possible that if either replication process is not performing, GPO data can be inconsistent. Running gpotool.exe without any parameters lists the GPOs and the results of all tests. Sample output is displayed in Figure 19-20. The Group Policy Management console can also be used to display consistency information.

Figure 19-20. Use gpotool for a quick check of sysvol replication consistency with Active Directory Replication.


Use Sonar

Use sonar.exe to view the status of FRS. Traffic levels, backlog, and other statistics for replica sets are logged to a file and can be viewed in a special viewer. Sonar will also detect the sharing violations that can occur when a client leaves a file open. Open files cannot be replicated. To use the tool, follow these steps:


1. Start the tool from the Help and Support interface to load a window for configuration, as shown in Figure 19-21.

Figure 19-21. Start sonar to monitor FRS.

2. By default, the domain of the current computer and the SYSVOL share are configured for testing. Change this information using the drop-down boxes as appropriate. When first testing the tool, reset the refresh rate to one minute in order to view some results faster. Be sure to reset sonar to collect data less frequently for production use.

3. Click the View Results button to display the Sonar Windows File Replication Service Viewer.

4. From the File menu, select Log and use the popup shown in Figure 19-22 to start logging.

Figure 19-22. Start sonar to monitor FRS.

5. As sonar refreshes, statistics are added, as shown in Figure 19-23.

Figure 19-23. A quick visual of the statistics can be viewed.

A command line can also be used to start logging data.

To install the tool and start the log, enter this command:


Sonar /i /s configuration_file_name

To stop data collection, uninstall sonar using this command: Sonar /u

Use Ultrasound

Use ultrasound to monitor and notify via email when replication problems are occurring. Ultrasound installs WMI providers on the replica set servers, centrally collects FRS replication data, and analyzes it looking for problems. Download ultrasound from http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&DisplayLang=en.

Monitor Group Policy Operations


If Group Policy operations fail, modified security settings will not be replicated to the computers and users. There are several options for confirming the health of Group Policy.

Use the Application Event Log

Application event log event 1704, displayed in Figure 19-24, indicates that Group Policy is applying security settings. This is scheduled to occur every 16 hours. Monitor for the presence of this event. If the event is not being written to the log, something is wrong with Group Policy operations.

Figure 19-24. This normal event should appear every 16 hours in the application event log; if it doesn't, it's cause for alarm.
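The "is event 1704 still arriving?" check, as an added example (not the book's code) over a small constructed export of Application log records. A real export (for instance one produced with eventquery.vbs) would be reduced to the same three fields; the one-hour slack and the SampleApp record are assumptions for the example.

```python
from datetime import datetime, timedelta

POLICY_APPLIED_EVENT = 1704          # SceCli: security settings applied by Group Policy
EXPECTED_INTERVAL = timedelta(hours=16)

# Constructed export lines: "date time,source,event id".
SAMPLE_EVENTS = """\
2004-03-01 02:14:00,SceCli,1704
2004-03-01 18:14:00,SceCli,1704
2004-03-02 10:14:00,SceCli,1704
2004-03-02 11:00:00,SampleApp,100
"""


def parse_events(text: str) -> list:
    """Return [(timestamp, source, event_id), ...] from the export text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, source, event_id = line.split(",", 2)
        events.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), source, int(event_id)))
    return events


def policy_apply_times(events: list) -> list:
    """Timestamps of the 1704 events only, oldest first."""
    return sorted(t for t, src, eid in events
                  if src == "SceCli" and eid == POLICY_APPLIED_EVENT)


def policy_apply_overdue(events: list, now: datetime,
                         slack: timedelta = timedelta(hours=1)) -> bool:
    """True when no 1704 was logged within 16 hours (plus slack) of 'now'.

    An empty log is treated as overdue: never having seen the event is the
    case the chapter says to treat as a Group Policy failure.
    """
    times = policy_apply_times(events)
    if not times:
        return True
    return now - times[-1] > EXPECTED_INTERVAL + slack


def gaps_exceeding(events: list, slack: timedelta = timedelta(hours=1)) -> list:
    """(start, end) pairs of consecutive 1704 events whose spacing overran the cadence."""
    times = policy_apply_times(events)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > EXPECTED_INTERVAL + slack]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("overdue:", policy_apply_overdue(evts, datetime(2004, 3, 3, 4, 0, 0)))
    print("gaps:", gaps_exceeding(evts))
```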

Use GPResult

GPResult can be used to list which GPOs were applied and when. To use the command to dump information to a text file, enter gpresult /V > textfilename.txt at the command line. You must run this command while logged on as the user you want to test policy for, on the computer you wish to test policy for. It is more efficient to use the Group Policy Management console's Group Policy Results tool. However, gpresult is a good tool if you are sitting at the console of the computer you want to test. It can also provide validation for results obtained using the Group Policy Management console.

Use Gpmonitor

Use gpmonitor.exe to centrally collect and analyze Group Policy changes:


1. Locate the gpmonitor.exe tool in the resource kit directory.

2. Double-click the gpmonitor.exe tool.

3. When prompted, enter or browse to a location to extract the tool files to.

4. Use Group Policy software installation (use machine assignment for the deployment type) to deploy GP Monitor.msi to DCs. Also distribute the gpmonitor.adm file (you should then add gpmonitor.adm to the Default Domain Controller GPO as described in steps 6 to 10). All DCs must run the agent. The installed service, gpmonitor, automatically captures policy change information when Group Policy changes are made and uploads the information to a share defined using the gpmonitor.adm file. The service does not listen on the network.

5. Create a share for uploading the policy changes.

6. Open the Default Domain Controller GPO.

7. Navigate to and right-click the Windows Settings, Security Settings, Administrative Templates folder, and then select Add/Remove templates.

8. Click Add and select the gpmonitor.adm file, and then click Open followed by Close.

9. Expand the Administrative templates node and open the Group Policy Monitor folder. Double-click the Group Policy Monitor icon in the detail pane to display its Settings page.

10. Enter a UNC path to the share, as shown in Figure 19-25, that will be used for policy information uploads.

Figure 19-25. Enter a path for the share.

11. Accept or change the refresh number for policy change upload. Click OK.

12. At a command prompt, enter gpupdate to force a policy refresh.

13. Open a GPO in the Group Policy Editor and make some change to the GPO. (Never make arbitrary changes. Even in a test network, know the result of the change before implementing it.)

14. Open the Group Policy Monitor tool installed in the Administrative Tools folder to launch the user interface.

15. From the File menu, select New Query.

16. List machines to use in the query or leave the asterisk (*) in place to query all machines.

17. Enter the number of refreshes to display, as shown in Figure 19-26, and then click GO.

Figure 19-26. Define the query by entering computer names and number of refreshes.

18. Right-click a Machine Policy Refresh by date, as shown in Figure 19-27, and select Generate RSOP Report. A refresh with a red mark denotes that the refresh included a policy change.

Figure 19-27. An x within a circle indicates a policy change occurred during the refresh.

19.
When complete, view the report to note the changes.

Use Performance Monitoring


Performance monitoring is not usually considered to be security monitoring. However, some data gathered by performance monitoring tools such as the built-in Windows Server 2003 System Monitor and Performance Logs and Alerts tools can be used in security monitoring. You can create logs and alerts using the Performance Logs and Alerts tool and view the results or create live monitors using System Monitor. Entering perfmon at a command prompt opens both tools in an MMC console. Examples of uses for performance monitoring data in security monitoring are as follows:

Monitoring for low disk space on Active Directory database and log file disks

Alerting on attack indicators

Use Performance Logs and Alerts to Alert on Low Disk Space

Low disk space can cause any number of programs to fail and may cause problems for virtual memory. The Active Directory database and log disks should be monitored to ensure that adequate disk space is available. Set an alert to warn you when disk space is getting critically low. To do so:

Determine drives on which disk space issues can cause critical failures. For a domain controller, these disks are the database and log disks.

Determine how much disk space is required.

Set an alert using the System Monitor tool to warn when disk space is low.

Monitor for your practical usage and adjust this figure as necessary.

Determine Disk Space Required

A basic formula for requiring disk space is provided in the Microsoft Windows 2000 resource kit (http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/core/fnee_exa_skbl.asp). It includes:


1. Start with 1 GB.

2. Add the size of all applications, including their database and/or log files. If you have isolated the logs or database on their own disk, the size of applications may be zero.

3. Add the size of the paging file if the paging file uses this disk. (General recommendations for paging file size are twice the amount of memory. Space on multiple disks may be allocated.) If no space is allocated, nothing needs to be added.

To this good start, add the following:


1. If this is the first DC, start with the size of the installation database and log files. Double that size at least and add it in step 2.

2. If this is a new DC in an established domain/forest, use the current size of the database and logs.

3. Monitor the size of the database and/or logs periodically to estimate growth over time and adjust the size of the disk requirement accordingly. Allow for rapid growth during initial installation of the forest and at peak times when large numbers of objects are added.

4. Then, as the resource kit indicates, multiply by 130 percent to allow room for expansion.

The total figure produced by these steps is the total disk space required. Since you need to alert when the "minimum" free space is left on the disk, subtract the amount estimated before multiplying by 130 percent (the amount after step 3 but before step 4) from the total disk space required. The result of this calculation is the minimum amount of free space that should always be present on the disk. Since the System Monitor alert is expressed in % Free Space, calculate the percentage of the disk used for the AD database and logs that this figure represents. Be sure to periodically recalculate to obtain current requirements.
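The estimate above carried through to the alert limit, as an added example (not the book's own arithmetic). The sizes used (a first DC whose freshly installed database and logs total 0.3 GB, on a dedicated 20 GB disk with no applications or paging file) are constructed figures for the example.

```python
GROWTH_FACTOR = 1.30  # the resource kit's "multiply by 130 percent"


def first_dc_ad_size_gb(install_db_gb: float, install_log_gb: float) -> float:
    """First DC in a forest: at least double the freshly installed database and logs."""
    return 2.0 * (install_db_gb + install_log_gb)


def disk_plan(base_gb: float = 1.0, apps_gb: float = 0.0, pagefile_gb: float = 0.0,
              ad_db_and_logs_gb: float = 0.0, disk_capacity_gb: float = None) -> dict:
    """Carry the chapter's estimate through to the % Free Space alert limit.

    Returns the pre-growth sum (resource kit steps 1-3 plus the AD figure), the
    total after the 130 percent step, the minimum free space that must always
    remain (total minus pre-growth) and, when disk_capacity_gb is given, that
    minimum as a percentage of the disk, which is the value for the alert's
    'Under' limit.
    """
    if min(base_gb, apps_gb, pagefile_gb, ad_db_and_logs_gb) < 0:
        raise ValueError("sizes must be non-negative")
    pre_growth = base_gb + apps_gb + pagefile_gb + ad_db_and_logs_gb
    total = pre_growth * GROWTH_FACTOR
    min_free = total - pre_growth
    plan = {"pre_growth_gb": pre_growth, "total_gb": total, "min_free_gb": min_free}
    if disk_capacity_gb is not None:
        if disk_capacity_gb < total:
            # The disk cannot hold the estimate; no free-space threshold makes sense.
            raise ValueError("disk is smaller than the estimated requirement")
        plan["alert_under_pct_free"] = 100.0 * min_free / disk_capacity_gb
    return plan


def free_space_alarm(pct_free_now: float, alert_under_pct_free: float) -> bool:
    """What the alert evaluates: has % Free Space dropped under the limit?"""
    return pct_free_now < alert_under_pct_free


if __name__ == "__main__":
    ad = first_dc_ad_size_gb(install_db_gb=0.25, install_log_gb=0.05)   # 0.6 GB
    plan = disk_plan(ad_db_and_logs_gb=ad, disk_capacity_gb=20.0)
    print(plan)
```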

Set an Alert

Although you may want to establish many disk counters to measure disk performance, these instructions just detail how to set up a monitor to warn of disk space issues:


1. Install the logical disk counters by opening a command prompt, typing diskperf -yv, and then pressing Enter.

2. Restart the server to load the LogicalDisk counters.

3. Click Start, Run, and then type perfmon and press Enter. This starts System Monitor.

4. Expand the Performance Logs and Alerts tree.

5. Right-click Alerts and click New Alert Settings.

6. Enter a name for the alert, and then click OK.

7. Enter a comment. "Monitors disk space on AD database drive X" is a good comment, where X is the letter of the drive this alert is for.

8. Click Add to open Select Counters.

9. Click Select counters from computer and click the DC in the list.

10. Select the Performance object drop-down box and select LogicalDisk.

11. Click Select instances from list and select the drive to monitor.

12. Click Select counters from list and click % Free Space, as shown in Figure 19-28.

Figure 19-28. Select the DC and drive to monitor.

13. Click Add and then click Close.

14. On the General tab, in the Alert when the value is box, click Under and then set the Limit value, as shown in Figure 19-29, to at least the value you estimated as required for growth.

Figure 19-29. Set the value.

15. Adjust the Sample data every setting to something that makes sense for your environment and then click Apply.

16. On the Action tab, click Log an entry in the application event log and configure other actions, such as sending a network message, starting a performance data log, and running a specific program, as shown in Figure 19-30. The latter choice may be used to send an email.

Figure 19-30. Set the action the event should trigger.

17. Click the Schedule tab and set the time to start the scan.

18. Click OK to save the alert.

Use Performance Logs and Alerts as Early Warning Signs of Possible Attacks

Information in the event logs may help you identify problems, identify security incidents, and provide an audit trail for evaluation after the fact. Monitoring the event logs for this information in real time is not a task suited to manual review. System Monitor can help. It can be used to alert you to unusual circumstances and provide information that may help you determine whether unusual activity is a troubleshooting issue or a security incident. For example, System Monitor can be used to focus on the number of failed logons and send an alert when they exceed some number. (Determine what is normal for your environment and set the alert for some number over that.) This can provide you with an early warning that a password-cracking attack may be underway.

Some counters to monitor are

Errors Access Permissions

Errors Granted Access

Errors Logon

Create a log of events over time to find the baseline for your environment, then create alerts to help you identify possible security incidents. Continue to log events as a record.

To log events, follow these steps:


1. Right-click the Counter Logs node and click New Log Settings.

2. Enter a name for the new log.

3. Click Add Counters.

4. Select the computer in Select counter objects from computer, or select Use local computer objects.

5. Select the Performance object, such as Server.

6. Select the counter from the list provided. Click Add to add the counter.

7. Repeat until you have added all the desired counters, and then click Close.

8. Adjust the sample interval and click Apply.

9. Use the Log Files tab to configure log files; for example, you may want to select a log file type of comma delimited in order to store the data in a database for viewing, or select SQL server format if you want to log data directly to a SQL server database.

10. Use the Schedule tab to dictate when the recording should start.
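The baselining the section describes, done over the comma-delimited counter log the steps above produce. This is an added example and not the book's own material; the log contents are constructed, the Server object's Errors Logon and Errors Access Permissions counters are treated as running totals since the Server service started (so the script works on per-interval differences rather than the raw value), and the function names and the three-sigma-plus-floor rule are my own choices, not anything the book prescribes.

```python
"""Baseline a counter log and flag intervals that exceed normal, as an early warning.

Added example on constructed data; not taken from the book.
"""
import csv
import io
import statistics

# Constructed counter log in the comma-delimited layout System Monitor writes: the
# first column is the sample time, every other column is one counter path. Samples are
# five minutes apart; the last two show a burst of failed logons.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\DC1\Server\Errors Logon","\\DC1\Server\Errors Access Permissions"
"03/15/2004 08:00:00.000","100","40"
"03/15/2004 08:05:00.000","112","41"
"03/15/2004 08:10:00.000","121","41"
"03/15/2004 08:15:00.000","136","43"
"03/15/2004 08:20:00.000","147","44"
"03/15/2004 08:25:00.000","155","44"
"03/15/2004 08:30:00.000","169","46"
"03/15/2004 08:35:00.000","181","47"
"03/15/2004 08:40:00.000","250","48"
"03/15/2004 08:45:00.000","320","49"
'''

ERRORS_LOGON = r"\\DC1\Server\Errors Logon"
ERRORS_ACCESS = r"\\DC1\Server\Errors Access Permissions"


def load_counter_log(text):
    """Parse a comma-delimited System Monitor log into (timestamps, {counter: values}).
    A blank cell (perfmon writes one when a sample was missed) becomes None."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    counters = header[1:]
    timestamps, series = [], {name: [] for name in counters}
    for row in reader:
        if not row:
            continue
        timestamps.append(row[0])
        for name, value in zip(counters, row[1:]):
            series[name].append(float(value) if value.strip() else None)
    return timestamps, series


def interval_deltas(values):
    """Per-interval increase of a running-total counter. None marks a gap: a missing
    sample, or the total going down, which happens when the service restarted."""
    deltas = []
    for prev, cur in zip(values, values[1:]):
        if prev is None or cur is None or cur < prev:
            deltas.append(None)
        else:
            deltas.append(cur - prev)
    return deltas


def baseline_threshold(deltas, baseline_intervals=7, sigmas=3.0, floor=10.0):
    """Alert level derived from the first baseline_intervals deltas: mean + sigmas * stdev,
    but never below `floor`, so a very quiet baseline does not page on a few typos.
    The value is the 'some number over normal' to put in the alert's Limit."""
    baseline = [d for d in deltas[:baseline_intervals] if d is not None]
    if len(baseline) < 2:
        raise ValueError("not enough baseline samples to estimate normal activity")
    return max(floor, statistics.mean(baseline) + sigmas * statistics.pstdev(baseline))


def find_spikes(timestamps, values, **kwargs):
    """Return [(sample_time, failures_in_interval), ...] for intervals above threshold.
    The timestamp reported is the end of the interval."""
    deltas = interval_deltas(values)
    threshold = baseline_threshold(deltas, **kwargs)
    return [(timestamps[i + 1], d) for i, d in enumerate(deltas)
            if d is not None and d > threshold]


if __name__ == "__main__":
    stamps, series = load_counter_log(SAMPLE_LOG)
    for counter in (ERRORS_LOGON, ERRORS_ACCESS):
        spikes = find_spikes(stamps, series[counter])
        limit = baseline_threshold(interval_deltas(series[counter]))
        print(f"{counter}: alert above {limit:.1f} per interval; spikes: {spikes}")
```

Two points the raw counter hides: because the value is a running total, an alert set to fire when Errors Logon is Over N trips once and then stays tripped until the Server service restarts, so either sample the difference as above or reset the log and re-baseline on a schedule; and a drop in the total is a restart, not a recovery, which is why the script treats it as a gap rather than a negative count.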
